Competent authorities must withdraw a crypto‑asset service provider's authorisation where it was unused for 12 months; the provider renounced it; no services were provided for nine consecutive months; the authorisation was obtained by irregular means (including false statements); the provider no longer meets conditions and failed to remedy; the provider lacks effective systems to prevent money‑laundering and terrorist financing in accordance with Directive (EU) 2015/849; or the provider has seriously infringed this Regulation, including protections for holders or clients and market integrity. Authorities may also withdraw for breaches of national law transposing Directive (EU) 2015/849 or where payment or e‑money authorisation has been lost and not remedied within 40 days.

On withdrawal the competent authority shall notify ESMA and host Member State single points of contact without undue delay and ESMA will publish the information in the Article 109 register. Withdrawal may be limited to a particular crypto‑asset service. Before withdrawing, authorities must consult competent authorities of other Member States where the provider is a subsidiary of, a subsidiary of the parent undertaking of, or controlled by the same persons as, an authorised provider there; they may consult the authority supervising AML/CTF compliance. EBA, ESMA and host supervisors may request a home authority review. Providers must maintain procedures to ensure timely transfer of clients' crypto‑assets and funds when authorisation is withdrawn.